[c-nsp] Problem w/ outgoing IP on IPSEC tunnels

Garry Glendown gkg at gmx.de
Tue Sep 20 16:40:42 EDT 2005


Hi,

I've been trying to figure this out, but either the Cisco docs are
expecting something to be set without being shown or documented, or it's
a feature, or it is a bug ...

I had a 3825 configured to terminate an external site's IPSEC VPN, which
worked fine as long as the router still used another router on the LAN
as gateway to the Internet. Well, finally I moved the WAN link over to
the 3825, which led to a different interface being used for Internet
access.

Problem is, by using a different interface to the internet, outgoing
ISAKMP connections are now using the new interface's IP. While I could
have the other side configured to use the other IP, this would not be a
sufficient "fix" as I plan on setting up an HSRP between this and another
3825 ...

Browsing through the docs as well as some Cisco books, I came across the
"crypto map XXX local-address" command, which takes the interface or
IP address of the crypto endpoint. Anyway, it seems as if the interface or
IP configured are only used for incoming connections ...

Am I misunderstanding the local-address option, is it a bug or feature,
and/or is there a way to force a router to use a certain IP
independently from the exterior interface used for routing the packets?

Tnx, -gg
